Cointime

Cointime

Download App
iOS & Android

Web3 Infrastructure Platform Ankr Suffers $5M Exploit, Let’s Take a Closer Look

Validated Project

TL;DR

On December 02, 2022, the Ankr protocol on BNB chain suffered a governance key compromise, allowing an attacker to mint 10,000,000,000,000 $aBNBc tokens and drain the DEX pool, resulting in the loss of approximately $5 million.

Introduction to Ankr

Ankr is a decentralized Web3 infrastructure provider that helps developers, decentralized applications, and stakers interact easily with an array of blockchains.

Vulnerability Assessment

The root cause of the vulnerability is due to the compromise of their governance key.

Steps

  • The team had announced changes to all Reward Bearing and Earning Tokens token models prior to the incident.
  • The $aBNBc token is an upgradeable token contract, which means that the admin can change the code at any time.
  • The exploiter stole the key of Ankr Deployer and minted himself 10T $aBNBc tokens as viewed from this transaction.
  • The preparator transferred 1.125 $BNB tokens to Ankr Exploiter address as a gas fee by controlling the key of Ankr Deployer, and then began to dump $aBNBc.
  • The attacker also sent between $3 and $4 million involving multiple transactions to the ETH mainnet through the Celer bridge.
  • Additionally, the exploiter used PancakeSwap to exchange $aBNBc tokens for $BNB and $USDC before converting them to $ETH.
  • The $aBNBc-related pool on PancakeSwap has been depleted, and the exploiter has consequently ceased dumping aBNBc.

Aftermath

After the incident, the team issued a statement on Twitter mentioning that they were currently working with exchanges to immediately halt trading. The price of the $ANKR token plummeted and was last observed trading at $0.02168.

In addition, they stated that all the underlying assets on Ankr Staking were safe at this time, and all infrastructure services are unaffected. The team will be drafting a plan to compensating affected users.

How to prevent such an attack vector

The exploiter deployed an attack contract, changed the upgradeable aBNBc contract to the malicious implementation and then minted a massive amount of tokens for his wallet.

This can either be caused due to the compromise of the Deployer key during their migrations, or it could also potentially be an insider job where the attack was planned to coincide with the event.

Multisignature wallets and pause contract events are also industry standard for majority of blockchain team to mitigate against events of such nature to a greater extent.

Protocol, and Platform Security

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.

Web3
Comments

All Comments

Recommended for you

  • TrumpAI tokens on Ethereum have been RUG

    PeckShield has monitored that the TrumpAI token on the Ethereum blockchain has fallen by 100%. An address starting with 0x935A sold 5,000,000,000,000,000,000,000 TrumpAI tokens, which is about 26.57 WETH (approximately $80,000). Note: rugpull tokens have the same name as legitimate tokens.

  • South Korea’s Monetary Authority: Confirmed to include token delisting standards in the Virtual Asset User Protection Act

    The Financial Supervisory Service (FSS) of South Korea has confirmed that token delisting standards will be included in the "Best Practice for Compliance with the Virtual Asset User Protection Act" released in early June. An official from the Financial Supervisory Service stated in a conversation with Bloomberg on Tuesday that the upcoming "Best Practices for Compliance with the Virtual Asset User Protection Act" will not only include listing standards for virtual assets, but also provide guidance on whether to maintain trading of listed virtual assets. The guidance will provide a basis for cryptocurrency issuers to delist in the event of problems. The guidance will be released from the end of May to early June. Currently, the Financial Supervisory Service is developing guidelines to support self-regulation by cryptocurrency exchanges under the Virtual Asset User Protection Act before it is implemented in July. The plan proposes standards for virtual asset issuance, circulation, and trading support, prohibits the listing of virtual assets with a history of hacking attacks, and requires the release of Korean white papers and technical manuals when listing overseas virtual assets.

  • HKEX CEO: Virtual asset exchanges have become HKEX’s competitors

    On May 10th, Hong Kong Exchanges and Clearing Limited's new CEO, Nicolas Aguzin, stated in an interview with the Shanghai Securities News that HKEX faces competition not only from other securities exchanges, but also from external competitors such as virtual asset exchanges. In order to meet the rapidly evolving demands of customers and technology, HKEX must balance innovation and stable business operations, continuously expand its resources for listed companies, and improve its market services.

  • WOOFi attacker address has transferred 100 ETH to Tornado cash

    PeckShield monitoring shows that the address marked by the WOOFi attacker has transferred 100 ETH to Tornado cash. The WOOFi attacker has already transferred 2200 ETH (worth about $6.5 million) to Tornado cash.

  • Trump will hold a private dinner on the day of the court recess, inviting NFT trading card buyers to attend

    On May 10th, according to sources, former US President Donald Trump will host a dinner at his Mar-a-Lago estate on a day off, inviting NFT trading card buyers to attend. This event is part of Trump's series of non-campaign activities, aimed at balancing his White House campaign and legal disputes. After Stormy Daniels testified in Trump's trial on Tuesday, Trump expressed his desire for campaigning rather than being tied up in court. Despite no public campaign activities on Wednesday, Trump's schedule includes private political meetings.

  • Tether: Deutsche Bank’s analysis lacks clarity and substantive evidence

    According to a report on stablecoins released on May 7, Deutsche Bank analyzed 334 currencies linked to stablecoins and found that 49% of stablecoins had failed during their median lifespan of about eight to ten years. The analysts concluded that most anchored assets in the cryptocurrency field will experience significant "turbulence" caused by speculative sentiment and ultimately suffer some form of decoupling event. Deutsche Bank analysts also pointed out that Tether's reserve transparency was lacking and described the company's solvency as "doubtful".

  • Yesterday, Solana’s on-chain DEX transaction volume surpassed Ethereum, reaching $1.314 billion

    On May 10th, according to DeFiLlama data, the trading volume of Solana's DEX reached 1.314 billion US dollars yesterday, surpassing the trading volume of 1.297 billion US dollars on Ethereum's DEX.

  • US court orders seizure of 279 virtual currency accounts containing criminal proceeds from North Korean hacking

    A US court has ordered the confiscation of 279 virtual currency accounts containing proceeds from North Korean hacker crimes. US District Court Judge Timothy Kelly in Washington, DC approved the federal prosecutor's request for a summary judgment on these accounts and ordered their confiscation on May 8. This ruling means that these accounts are now under the control of the US Department of Treasury.

  • Barcelona-based Web3 Video Games Startup GFAL Raises $3.2M in Seed Funding to Expand Team and Accelerate Production Plans

    Barcelona-based startup GFAL has secured $3.2 million in seed funding from investors including Supercell Ltd and Mitch Lasky. The company plans to use the funds to expand its team and accelerate its game production plans, which leverage AI and Web3 technology for immersive gameplay. GFAL's Elemental Raiders mobile game soft-launched in March 2023, with plans to build on this for a 2024 launch. CEO Manel Sort expressed gratitude for the investment and excitement to work with former colleagues from Digital Chocolate.

  • Wu Jiezhuang, a member of the National Committee of the Chinese People's Political Consultative Conference, suggested that Hong Kong refer to IPO to provide innovative financing models for Web3

    Wu Jiezhuang, a member of the National Committee of the Chinese People's Political Consultative Conference and a member of the Hong Kong Legislative Council, wrote an article in the Hong Kong Wen Wei Po titled "Leading the Digital Economy by Adapting to the Web3 Trend". The article pointed out that developing Web3+ has both advantages and new challenges. The Hong Kong government has taken an important step in the direction of developing Web3 and the digital economy by formulating a short- to medium-term strategic development blueprint, ensuring that policies and resources are in place, and promoting the construction of Web3+ application scenarios. Focusing on Web3, establishing an international innovation financing platform can not only help Hong Kong leverage its traditional financial advantages, but also help it become a global digital technology center. It is suggested to refer to the mature mode of existing enterprises' IPOs in Hong Kong, provide an innovative financing model for Web3, and create a market trend and service competitive advantage to promote the development of the industry and attract upstream and downstream of the industry chain at home and abroad to gather in Hong Kong.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company